Skip to main content

tv   Key Capitol Hill Hearings  CSPAN  November 20, 2014 10:00pm-12:01am EST

10:00 pm
to collect that information, sir. t10 >> >> it was a question that came up of of nitrate
10:01 pm
propellant. wouldn't that blowup? a culprit is a chemical engineer working at the plant. the answer was, not if it stays in the right phase. okay. in addition the media reported various problems at the takata plant in 2001. secret air bag test in 2004 so why didn't takata take action on any of these concerns regarding the use of ammonium nitrate? >> guest: let me briefly explain about that.
10:02 pm
ammonium nitrate there are several vintages using it. also to the end users also. but because of the chemical properties it is sensitive to moisture. and if not well controlled to administer the program. they performed or they will not perform as designed and of course, that could influence the combustion. but talk about two when
10:03 pm
knowledge ammonium nitrate stays stable during the process and also in the environment. so if we produce that which is under control that will be stable. the law at the end with some occasion. >> mr. shimizu i did not interrupt you to give you every opportunity to answer the question.
10:04 pm
you did not answer the question. if you knew as far back as 2001 that takata was doing the secret air bag test with ammonium nitrate in 2004 with their own engineers as quoted in today's "new york times" saying what they said about a motive nitrates, and then -- senators? any questions for the second round? >> until a couple days ago actions were limited to that achievement states but three of four deaths from exploding air bags as oklahoma and virginia and california not the cheapest
10:05 pm
they've set the recall applied to. south dakota and minnesota or massachusetts could have been in that category. when my a staff asked nhtsa they were told because it was a different manufacturing problem years ago but they had not been repaired. just one problem with the explanation of their look at the vehicle identification number said database says that the cars were repaired after 2011. so either your recall database is wrong or the air bag was replaced with the different defective air bag
10:06 pm
or it did in its still killed someone two years later. so which of those three options is it? >> i believe it is option one the web site has deficiencies as multiple recalls with the same vehicle our system would bring up of message of recall completed for those that were superseded and then due to report to tomorrow to take katydid is an embarrassing problem that we have that technology problem on our web site. >> talk about the safety is someone buy a honda on the recall database it alleges
10:07 pm
completed even though it was not. and the public should feel confident they have the family member driving those vehicles and i am bound and determined to make sure it will not happen again. >> title they get make sense for a passenger air bag otherwise the passengers are just in the back seat because they are running a huge risk in their waiting to get a passenger in our country. >> gentlemen you need to know i will be meeting with
10:08 pm
secretary fox and i will request of him that he impose the maximum penalty allowed by law even if that is $1 billion per day for the automobile companies if you were not providing a loner or rental car to the folks who potentially would be driving a death trap is says simple as that. but senators we need to move to the next teeeighteen. >> just one quick question mr. shimizu. what is the maximum number of replacement parts you could provide per month? >> we previously from the
10:09 pm
mexican market 300,000 per month but it could increase 450,000 per month in january. that is a fact right now. >> one more question, what steps have you taken to improve the assembly of the container that senator nelson showed you? to make its leakproof and water proof for resistant to water or humidity? spee make --. >> we are discussing ways of our car makers that it is
10:10 pm
safe if they care about and how do we prove that a robust nature? >> okay gentlemen thank you for your participation today. the deputy administrator of the national highway traffic safety administration, the nhtsa. [inaudible conversations]
10:11 pm
>> where is mr. friedman? >> welcome. have you heard the testimony in the answer room? digest mr. chairman i have.
10:12 pm
>> what we will do is forgo your statement because of the lateness of the hour you can make your points in response to the questions i will defer my question is to do cleanup at the end. >> mr. friedman. we are here today to discuss another failure with the automobile industry with the faulty takata air bags is just of series of defects held by the house this year. could you shed some light why we're seeing such a flood of automated safety issues recently and do you believe this experience indicates a broad and systemic problem within the automobile and industry? >> one of the reasons why is
10:13 pm
it is running scared. it realizes that teeeighteen is pushing hard for a new normal to recall vehicles quickly to notify quickly they're also very concerned as they should be of batches congress has taken to shed light on the industry and also reacting to media attention. it is the shave it took all of this attention for them to do so. i called them to washington to talk about the need of the new normal for recalls no more high 88 behind information or attorney-client privilege or waiting to prove beyond a
10:14 pm
shadow of a doubt there is a problem. they need to act much more quickly and nhtsa these draft more aggressively to keep them in line as he had done this six -- the $360 million. >> with the examination into the scope and timing of the recalls of the driver's side air bag that insufficient information that honda failed to make timely decisions from information was provided. what was that insufficient information and what you know, now should the agency have kept that open? >> we're just beginning to look into those details. i expect they will provide more details going forward. but my current understanding
10:15 pm
that takata identified with the manufacturing problems. it doesn't have good record keeping because further down the road they had to update their submissions with recalls indicating they did not provide that information that is a key reason demanding enduros the answer can provide details about all of the recalls we need every bit of that information. with a failed to live up to that lobby will hold them accountable. one thing that we would like to see is a significant increase to hold them accountable. right now we're limited at
10:16 pm
$35 million for a single infraction. that is pocket change. we are asking that is increased at 300 million if we give of that authority. >> but what you are saying is the failure to disclose the information to shed additional light that you satisfied all the questions that you have? >> that is a failure on there part? >> that is why we demand they provide this under oath stood back senator olson and i are introducing legislation today to incentivize individuals of serious allegations of noncompliance with motors safety laws to blow the
10:17 pm
whistle to government regulators if that leads to an enforcement action where more than $1 million of sanctions is involved receive up to 30%. is that a concept you can support? >> every bit of evidence can lead us to routes out those problems. one of the things that is crucial in general is to ensure we have the resources to follow up of those. this year above we had 70,000 consumer complaints we have 6,000 reports per here we need more people to follow-up.
10:18 pm
>> i agree. you do need more resources. and thanks to senator soon to push forward on the question of the whistle-blowers. senator clovers are? -- talk about the victim in our state that was permanently blinded she was driving her bmw in 2013 but this is been going on for so long talking about problems with takata in 2004 and here it is 2013 according to the family they never received confirmation from teeeighteen that their case is reviewed i don't know what follow-up action but if
10:19 pm
anybody ever reviewed the complaints filed by the family? >> we're looking into this as we speak but we put eyes and every single complaint that comes through our web site or hot line. and the follow-up to piece together that is provided. i can tell you exactly what happened. >> obviously that happened after this happened that is why we are concerned now we're into this week calling it expanded beyond recall
10:20 pm
some actually spend there winter months in the southern states they drive down there and they drive back. they ran not included in the previous regional recalls and did not think there was a need to include those types of vehicles. >> a couple of charts can help make that clear. this is a chart of the united states indicating the median to point temperature that shows the total amount of water in the air. all of the initial incidents occurred, occurred in these regions or in p.r. that is
10:21 pm
even more stupid so that caused us to open this investigation. we started with three complaints and reacted rapidly and connected the dots with three different car companies all three had air bags from takata. we had those recalls within days. so we pushed the auto industry we need to get out there for those airbags to figure out if this is a broader problem?
10:22 pm
initially we were working with starry. pardon me to reinforce the concepts related to exposure of temperatures and high humidity. >> all florida or just the southern part? >> whole levy is. -- only these but there is an incident california and when that happened on that acted for their recall to that area that could have been the allied air. but at the end of last month we received a complaint from
10:23 pm
north carolina reacted quickly and reached out to verify that was in fact, air bag problem. now the pattern is brooklyn all of the incidents were originally around here and here. area of much lower temperature and humidity. all audit makers involved recall those vehicles. >> so my question is expanding those types of cars it is an issue for this family and in 2010 they sent a letter that is under though honda recall that the
10:24 pm
bmw vehicles were not affected. did this happen with other manufacturers as well? >> i believe that is accurate. one of the things that needs to change to be more effective is to do a better job that when you have a common supplier to keep their data to themselves stiff neck and a legally share this information? >> when i called all to walt -- all told lawmakers without violating antitrust laws to share critical safety affirmation. -- information. and talking about them about takata at the time because both in the gm case and the takata case it is history the ad industry and their
10:25 pm
suppliers. >> okay maybe that is something we can work on. >> of course, you're rich and testimony will be a permanent part of the record. >> mr. friedman how do you justify calling a mandatory nationwide recall of takata driver's side air bags with voluntary and regional recalls of the passenger side? these are not voluntary period. each to the car companies said these to consumers.
10:26 pm
end actually i was frustrated at times that this was a service. this is a recall and. >> why did not have to say a recall for passenger side? >> that is based on the data. and we did not want to be in a position to wait. [laughter] make back. >> but her sister died in a passenger side air bag. so what do you tell her and her family about her sister and everyone else's sister that sits in that same passenger seat and that she
10:27 pm
has lost her sister? why are the passenger side air bags not being recalled? and it was in a nonhuman did stay. for every passenger side air bag. >> give us the details of what happened and. if we can get information on new outside those regions if there is data out there we will always follow the information that's why we push the automakers to test this.
10:28 pm
that without information there requires us to act based on a reasonable risk. for those outside those areas that i cannot force the automakers to recall. >> but potentially what you are doing. >> it was 110 or 120 degrees. southern california or to texas they could be driven to florida. you don't know. it could be a used car.
10:29 pm
just knowing that these vehicles moved from state to state. the pretty much every state in order to escape the cold in the winter. we know that. once they hit those conditions an accident could have been so greedy to recognize the global nature of our society. the danger is i don't want to except there is no risk in arizona or other states. outside those two areas. i dunno why they say that the lease that will happen is no other family member will suffer the same fate?
10:30 pm
>> and then to put safety first. the right now the challenge center is the u.s. meet you do then to put somebody's life their risk in florida based on a lack of information elsewhere. >> but today takata does not support to your recall. >> they don't. said today whether or not they support the nationwide recall they cannot give an affirmative act -- answer. that is a frightening response for the company is headed is responsible to ensure the danger of the air bags is made public. you should err on the side of safety.
10:31 pm
finally, but it's some are so dangerous but to warrant the passengers not to sit passenger seats. was toyota right to warn owners in that manner? >> one of the previous issue's let me be clear the median indicates the median failure is tenures. it does not indicate you face the say rent -- risk. >> cancer the toyota question before my time is up spinach you could drive without someone in the passenger seat but even if you do if there ruptures it is in danger there for to
10:32 pm
put a label on that vehicle do not put anyone in this passenger seat is a way to protect the driver sped next year pretoria's plan to do that? ltd. is not approval their defective parts of their broken parts cement then why did you tell other manufacturers? >> we did not approve this one way or another. >> here is the letter that came to a toyota that surgery knowledge of the notification to the nhtsa of a safety recall conducted pursuant to federal law and
10:33 pm
what we're referring to is the air bag that is in discussion. but as the interim and measure with the front passenger air bag will say the front passenger seat and tell it is installed. >> that is accurate. so with not then why not go to every ither manufacturer to warn people of the passenger side air bags? >> there may be some confusion that is called the recall acknowledgement letter x. it acknowledges to them what they told us. that is our way to the
10:34 pm
decisions they have made and to make knowledge those steps. >> but it says to meet you see yourself as detached of the decision made of the manufacturer of the vehicles that has the same type of takata air bag of catastrophic consequences. i understand how you can hold the manufacturer to the implementation to say this is the warning bell going off that is true lies is so dangerous to have the same responsibility of those their bags so i just say to you from my perspective there is a higher responsibility as an agency.
10:35 pm
thank you, mr. chairman chairman. >> you will like knowledge because you heard the testimony today that each of these automobile manufacturers are handling their recalls in a different way. which is all the more adding confusion per car you heard chrysler say they will not start until the middle of december. so you have to have concerns with those of lawmakers to respond appropriately. >> so of previous cases but i don't except there is any reason why they should wait to notify consumers about these recalls and consumers need to know there is a risk in chrysler vehicles because of these air bags.
10:36 pm
>> do they have the ability to replace the defective their bags? best buy we have authority under law to accelerate. if we determine we have to close to put into place to require them to act. we're in process to determine that exact question. increasing the up that 500,000 per month. if we find they could do more and do so absolutely we can order them to accelerate the remedy if they don't we can find them.
10:37 pm
>> is somebody is driving around in a death trap isn't that enough evidence to get the air bag replaced to stick it to the manufacturers for the penalty? >> their requires to demonstrate said they could do more. so they started from the beginning to contact other suppliers to step up to supply more air bags. >> if you could meet corey from central florida from a fire fighter that has no ability because he does not
10:38 pm
have an eye as a result of a piece of this shrapnel. this seems that would give you though legal authority to replace those affected their bags. >> thank you for being here today. i take your comments about going after the automobile manufacturer to push them. what about your responsibility? you heard the head of takata the maximum is 300,000 replacement parts per month. the hope is to go at 450,000 a their unwilling to commit to more than 300,000 replacement parts per month.
10:39 pm
it will take three years with the hope it will take more than two years. isn't that unacceptable? so will you commit under the motor vehicle safety act to order the card manufacturers use replacement parts from other makers of air bags. >> we will use all of our authority. >> i know one of a cancer. i just want yes or no. it is a pretty clear question you'll use all your authority to do the right thing i want to know to the
10:40 pm
secretariat of to dissertation you will order the automobile and manufacturers use replacement parts even if that means takata shows proprietary information so they are kept safe on the road. >> absolutely i will if i can. >> how long does it take to make that determination? >> asking their capacity with the compatibility is there may need to be test the kiss each is to end for each car that there would be safe they have an expert they need to be involved spare iraq but --.
10:41 pm
>> but it says what capability they have for replacement parts. you have the power to order them to break exclusivity to share proprietary information i want to know when you will finish that determination. >> i will that we have to put the safety of those replacement air bags first we will do so as quick as humanly possible with resources congress has provided us. >> mr. friedman would you agree there is more than sufficient reason to believe nhtsa was not furnished with enough information about these products?
10:42 pm
>> i cannot judge a case but because of the exact same concerns but the star gut-wrenching. >> i know you have fast for the information under oath but does say prosecutor it was probable cause which was enough to indict. >> i'm not of lawyers led not probable cause but i don't trust takata has provided us of accurate information that we don't always get the information that we need. i have serious concerns and
10:43 pm
will hold them accountable. >> so far of the information the maximum penalty is in the range of $30 million. those funds a automaker accountability act to lift that $35 million cap. du support that legislation? >> we will take all of the authority that you give us a gimmick to support the legislation? >> we want it raised its bid mcfadyen said yes? >> me personally david fried didn't -- friedman did you give me that authority i will. >> what about the current acting administrator said it
10:44 pm
may be inadequate for some cases where people have died as a result for failing to report sufficient information? >> no doubt the greater power we have to keep them establishing the new normal to provide all the information they need and quickly act on that to never fight to us when we provide them with data like said driver's side air bags that need to happen nationwide. >> lifetime has expired. i want to finish by making a request that by the beginning of next week you come back to this committee committee, in writing after consulting with the secretary how quickly you have a determination as to other companies that can
10:45 pm
provide these replacement parts in the view will recommend the timeline for finishing that process i hope that is measured in days, not weeks. and of the secretary of transportation i have talked to him on a number of locations, shares our concerns, very strongly share is about the american public and i commend him for not only sharing those concerns but acting as the nhtsa administrator. i would like you to give us a date by which you make a recommendation has -- as the replacement parts will be accelerated under the motor vehicle safety act so americans can be provided with those replacement parts as quickly as possible otherwise we will wait
10:46 pm
between two in three years under the most optimistic estimate for americans to be safe on roads with these air bags because they cannot be replaced if there are no parts to replace them. thank-you. >> mr. friedman i agree that you don't have the resources that your agency needs. and i feel sorry for your successor food has now been named by the president because as he goes to the confirmation process company list to say there will be a lot of questions asked of him with regard to the conduct of your agency going forward. to put this into context of the amount of vehicles with takata airbags worldwide his
10:47 pm
close at 100 million but in the united states it is something like 30 million. it could be a problem of gargantuan proportions that will need the aggressiveness of the federal regulators to protect the public. we appreciate the hot seat you are on. i will visit with your boss and ask him as i have said earlier to those to drag their feet or do not answer questions with financial penalties and then try to change the lot to eliminates that cap. thanks to everybody for participating.
10:48 pm
and before i richard, let me say the record will remain open for 10 days and all witnesses are expected to answer any and all questions for the record from the members of this committee. >> i apologize can i say one more thing? this is an agency of people who wake up every day with nearly 100 reminders of how we need more resources and to work harder to protect the american public because every day 100 people died because of drunk driving, distracted driving, a vehicle defects, each hour we come to work with over 200,000 reminders of people injured injured, every year from more resources and continue to improve and act to save
10:49 pm
people's lives. that is what every employee from nhtsa rededicate to protect the american public. read welcome their support and the added resources. we will act aggressively to protect the american public's image we appreciate that and your dedication of the federal employees who often areot given that appreciation. so now we have a new problem that we are addressing. that in the fact in front of a driver or passenger and it must be addressed immediately.
10:50 pm
thank-you and the meeting is adjourned. [inaudible conversations]
10:51 pm
10:52 pm
in several countries said the ability to infiltrate critical infrastructure systems. this hearing is chaired by the congressman from michigan. [inaudible conversations] >> we will opal the committee to order an end to some members are coming in and out that we appreciate you being here. today the house intelligence committee meets as well as ongoing efforts to protect
10:53 pm
our nation. a witness as the director of tsa as you can not having enough right rockers. >> we appreciate the hearing but these are the threads every phase. i was set at havana but to see them grow in. >> but to do with i do a health risk can confirm a said french aircraft a measure it is turned suffer
10:54 pm
this great detail as possible that those that play on the american companies. we want to raise awareness in advance the debate with said the government needs to do to redress but because of the chinese government for the industrial but to be campaigning the of the cybersecurity committee been nobody talks they were fearful of this raises a rent would punish saddam and to have the public spect and
10:55 pm
also what needs to be done? to this the and the art economics future touche said the problem is not the the cyberthe with those services tax done the fish network but to make those attacks their very but the government were down more
10:56 pm
than 30,000 computers a a an critical infrastructure operations. they are probing america as critical infrastructure networks and have gained access to those control systems. it is attributed to russia as on the industrial control
10:57 pm
systems. this is to shut down vital interest and water distribution and systems. not aware yet where hacker gained access to cause damage to infrastructure but would not take much comfort in that. our adversaries have the ability to causes damage to lack a strong motive to conduct such an attack and are deterred only by the fear of u.s. retaliation. the critical infrastructure networks are extremely vulnerable when we cannot count on a deterrent if we are already in the adversarial position like china or russia. we cannot count on the fact that less rational actors need access to the critical systems. it is not hard to understand its power was shut off but
10:58 pm
to the financial transaction is. and then what they owe each other from day to day would be chaos. it with those resources same capabilities in to have an obligation to the private sector by sharing this information about potential attacks before they have been. we talked today about the vital issue and hoping we can focus attention on the need to pass cyberthreat legislation before the end of 2014. request me ready for of
10:59 pm
attack and then they left to start from scratch next year with the threats that we face as an unnecessary and dangerous delay to protect privacy on national security. the queue for being here now i will turn over to the ranking members. >> we let the american people know how serious the threat is. they key for appearing before us today you have done a tremendous job and it has been six months or seven months earlier willing to work with you to make sure you get the resources that you need to protect our country. we have been sounding the alarm on the cyberthreat for years and we have led twice with legislation that would
11:00 pm
in 2012 lee warned of the incoming danger as it suffered a devastating separate attack erasing 30,000 of the computers replace to the pitcher burning the american flag. cyberattacks hit the united states to bring computers including the department of defense the u.s. treasury indigos on. but still the full congress did not act. spread further to the private networks. target was hit within jpmorgan was hit as well then bank of america. fyi 2012 the department of homeless security responded 198 cyberincidents across sectors and of those were energy sectors it continues
11:01 pm
to bear the brunt of the separate tax because it is the achilles heel. the attack within days shockwaves through the country. so it triggered a black golfer 50 million people. think of why a separate attack would do. the danger is not waiting what is the congress waiting for? banks to the bipartisan committee the house passed legislation to fix a dangerous gap in the cyberarmor and the ability to share its formation between the public and private sector it owns 80% of the internet that makes it difficult for the government. right now if your house is broken into you called 911 but if a company gets a cyberattack they cannot call
11:02 pm
all line at the same way. on the other hand, currently there is no legislative framework emplace to share with the private sector it is like hearing in seeing hurricane sandy but cannot warn anybody is coming. cyberlegislation allows two-way information sharing has the description of the of burglar. that is what is shared. we have been working very closely with senator feinstein. and we need to move quickly to reconcile and pass legislation.
11:03 pm
but thank you for taking the time the thank you for having the open hearing so we can get legislation. >> it is good to know you have not bumped into anything. met each german members someone to talk today on a critical mission. i would give but i would start but that is the last time i suspect i will testify but i thank you with this other and the ship for
11:04 pm
that and it says the nation will end i think fed makes me. >> but those cyberintelligence but the bill was literally costing us hundreds of billions of dollars isn't. also highlights the back to
11:05 pm
academia to redress the challenge. but then we can wrap that tissue move and her in june for but did to richer those concerns.
11:06 pm
what i try to focus on? spee i bet to respond in defeat those efforts with the private side in addition to insure that expertise is available to help the private sector with that a per-share value and -- how you defend yourself. from the u.s. said your
11:07 pm
protective and then to be irresponsible the very comfortable with the progress in the plan. delete. >> to report the into the defensive?
11:08 pm
but for that activity in time, a 40% that they're progressing well and are continuing through this. but i remind people it is a journey wondering why we ran up and we're all trying to learn the cyberis an environment. so with that i will answer any questions on any topic. >> your last comments i
11:09 pm
would ask then if you get the orders to reduce that. could thus was that had the offensive will fifth? they have a specific technical. >> thank you. a couple comments. first the workforce to be composed of military so that gives us the opportunity to have the broad swath. if you come out to the security agency today unc people on t-shirts, jeans, a
11:10 pm
very casual different approach as opposed to the military force. that is a disadvantage of the civilian component of all have to be the same in terms of physical fitness standards of uniformity and others. with a started to work in the department my number one concern was how dreaming tailor-made with interest rates in the department? mask zero as a commander i will tell you i have been pleasance pot -- presently surprised. >> i am understand we have that land but in the field would it be there as well? >> they have the same role.
11:11 pm
it is the pay differential between those who do the same job? somebody said leggett ponytail and flip-flops'. >> i have never heard that. it is about retention. >> so we spent so when your. and then in the private sector so the issues so knock on wood that has exceeded our exhortations. you can look at almost any
11:12 pm
military set it to attract people that are in the eighth dose of culture. and with a service to the nation we will attract people to the idea that matters to this nation. and then we can do some really keeping his. and then with the basis of our culture and model to be of, jr. h with parts of the workforce. ended is pretty clear there to take them with them.
11:13 pm
and then to those cybertrained it didn't have the right type of mindset. in the properties of the private sector? senate does the force of organization and then to provide military members? and then we give that enter authorities for a specific mission. >> they key for being with us mr. chairman. we heard from general car right something analogous to
11:14 pm
cyber. take a few minutes to give us the sense about the key principles of them obviously worried because of the agreements it could take a catastrophe in retaliation is it obvious with those norms would look like duke catalyzed that around the world? >>. >> i strongly concur in then to develop those in this space because absence that to use the strategy to be.
11:15 pm
in with the of admissions success because you yourself referenced there does not seem to be a risk from groups and individuals from those behaviors that we see. there is not of price to pay for it. i would argue more broadly for us internationally. . .
11:16 pm
it is just not a good place for us to be. >> so in addition you highlighted one principle they are on some sort of agreement not to attack a nation's emergency response capability. what else would you suggest? obviously there's a difference between taking down the sovereign internal i.t. capability and trying to steal a commercial secret. at least in the laws of war there's a difference there so
11:17 pm
what else would be isolating america responsibility? >> bears discussion about we want to put in standards for nation-state. if you are going to go down that road you need to step beyond these norms and behaviors and therefore you are opening in yourself up potential repercussions of the idea of critical infrastructure, some discussion about nation-state application against the commercial sector as a way to steal intellectual property for a nation-state game. we argue that is not within u.s. vision. we don't do that. it's not appropriate for the role of a nation-state. i think that would be among th them. going after as i said infrastructure, if you look at going after things that could lead to loss of life, if you look at going after things that could lead to loss of control, that's outside the norms of behavior but those are the kinds
11:18 pm
of things we are having discussions about. how do we build a framework if you will? >> as you sort of look at the discussion internationally happening here do you have any confidence that this debate where this discussion is going to advance and in particular are we going to be able to -- bad actors like china and i ran or is it going to take demonstration of capability against them to get them to the table? >> i don't know is the short answer. i'm hoping it's not the latter. clearly there is ongoing dialogue. the other cop hater in this is i often say people knew -- use the nuclear analogy about how we are able to develop concepts of norms and behaviors. i try to remind people the challenge of the nuclear challenges when we started at work in the ' in the 1950s and 1960s you had the capability to get nuclear weapons controlled by nation-states no individuals or groups by a very small number of nationstates to
11:19 pm
start with initially. that's very different from the cyber dynamic and now we will be dealing with nation-states and groups of individuals. we are dealing with the capability that is relatively inexpensive and so easy to acquire unlike the nuclear kind of model. that will makes this really problematic. >> thank you. >> recently there has been some disclosure of the trojan horse malware for critical infrastructure. can you talk about what the intention may have been an talk about that threat a little bit, if you have any attribution to any organization or nation-states and put it in context about what this really means for the national security interest of the united states. >> we have seen instances where we observing intrusions into industrial control systems. what concerns us is did that
11:20 pm
capability can be used by nation-states for individuals to take down my capability. in fact as you saw with aramco for example to destroy or be destructive but that capability. we clearly are seeing instances where nation-states groups and individuals are acquiring that capability. what we think we are seeing his recognizance by many of those actors in an attempt to ensure they understand their system so that they canned them if they choose exploit the ballmer abilities within those control systems. those control systems are fundamental to how we work most of our structure across this nation. that's not just the united states but on a global basis. they are foundational to almost every network aspect of my life to our water, to our powder -- power and financial sector in the aviation sector just as an
11:21 pm
example. they are so foundational to the way we operate complex systems on a national basis. it's one of the areas when people often say what are the coming trends that you see? i think the industrial control system and the state of peace are big growth areas of full mobility and inaction we will see in the coming 12 months among the things that concern me the most. this will be truly destructive until they decide that's what they want to do. >> it was determined that malware was on both systems. can you be a little more definitive about what does that mean? if i'm on a system and i want to do harm how does that impact the broader spectrum? to the lights go out? do you start pumping water? what does that mean in the fact that it was their does that mean they already have the capability to flip the switch if they wanted to? >> let me ask the last part
11:22 pm
first. they are nation-states and groups that have the capability to do that. there there are systems in and there are those industrial control systems that can shut down forestall our ability to operate their basic infrastructure whether it's generating power across this nation, whether it's moving water and fuel, whether it's moving -- i will highlight those focus areas that we have seen. once you are in the system and able to do that and enables you to do things like. if i want to stop generating power you can do that. if i wanted to segment the transmission system so you couldn't distribute the power coming out of the power station but this would enable you to do that. it would allow you to shut down segmented tailor parts of our infrastructure that forestall
11:23 pm
the ability to provide that service to assist citizens. >> and you have determined that nation-states hate that capability. >> yes sir. >> there was a report that referred to chinese attributed to the chinese government hackers being in some of our critical infrastructure systems. is there any nation-state that you believe has been successful in getting on the system's? >> there are probably one or two other semi-apologize if i couldn't consider that classified in an open hearing. i apologize but i'm not comfortable spelling out specifics but i would say there is more the one nation that we believe has the capability. >> the thrust of that question is to say this is a one off according to the "public report"? there are multiple nation-states who have the capability and have likely actually been on those networks. >> more than one in the other point i would make is we are
11:24 pm
watching multiple nation-states investing capability. >> can you talk about what that means? this is important i think. >> when i say capability we see them attempting to generate insight about how her insights are structured and power systems are configured with specific schematics and most of our control systems down to the engineering level so they can look at the vulnerabilities and how are they constructed and how can i get in to them. >> you mentioned this next group. you have seen the international organized crime organizations certainly starting to develop their capabilities and we have seen in some cases them using nationstates like techniques.
11:25 pm
can you flesh that out for is? you have highlighted the nation-states right? this i would argue is the next one down and gives us pause for concern. can you talk about what that means and why it's so difficult for the private sector to try to defend themselves? >> what we have traditionally seen in the criminal sector was criminal actors and groups penetrating systems and trying to steal information that they could sell are used to generate revenue so credit card information, selling personal information. there's a market out there to sell personal information on individuals. we have been watching them stealing data associated with generating. the next trend i think we are going to see in the coming near-term is you'll start to see i believe in many instances some of those criminal actors now engaging not just in the theft
11:26 pm
of information designed to generate revenue but also potentially as a surrogate for other groups, other nations. because i'm watching nation-states attempt to obscure if you will their fingerprints and one of the ways to do that is to use surrogate groups to attempt to execute that it's one reason for example where watching criminal actors start to use some of the tools that we historically have seen nation-states using now and starting to see criminals in some instances using those tools which suggest to us that increasingly in some scenarios you will see more linkages between the nation-states and some of these groups. that's a troubling development for us. >> so cyber for higher in nation-states. i had a lot more on threats but i just want to ask this last
11:27 pm
question. in this cybersharing reseen in which he talked about certainly what our legislation proposes, there are concerns and i think they are valid without the understanding of the machine to machine real-time millions of pieces of information are packets at the speed up light. how can we assure americans that their personal information is not being read or collected or used by the nsa in that real time machine to machine sharing that would allow you to share what you know with your malicious source code in the private sector so they could protect their own networks? >> i think there are couple of ways. first of all i remind people this is about computer network and not about intelligence. totally different missions with totally different objectives. the second i would make is we need to very publicly sit down and defined what are the elements of information we want
11:28 pm
to pass on to each other we want to make a very public. these are the specific data fields. this is the specific information we need both with the private sector needs and what the government needs. from my perspective is the director of the national security agency when we had for example private information that complicates things for me. there are specific protections i must provide that will slow us down. it's not what we are interested in. that would be a negative for us. he will lead to a slower sharing of information that is not what we want. i've been sitting down and having a very public discussion detailing exactly what we are talking about when it comes to information-sharing. it's one way to do that and also highlighting what we are not talking about. it's not what we want to see. i don't want people's personal data. i'm not interested in a threat i want names and addresses, none of those kinds of things we are talking about in this scenario.
11:29 pm
>> this is not the nsa plugging into the private networks of the united states. >> which is exactly why we need to do this. you don't want nsa in the private network -- private sector network. therefore i'm counting on the private sector to share with us so what i'm interested in for the private sector is what i think i would owe the private sector is here the specifics of the threats we think are coming at you. here's what it's going to look at, here is the precursor activities we think you will see before the actual attack. here's the composition of the malware we think you will see. here's how we think you can defeat it. what i'm interested in learning from the private sector is so tell me what you actually saw. was the malware you detected written along the lines that we anticipated or was it different? how was it different? help me understand when you respond to this what worked for you and what didn't work.
11:30 pm
how did you configure your network's? what was effective in what can you share with others who the insights of one come to the aid of many. that's the kind of back-and-forth we need. >> you made a very interesting point that i think is one of the biggest perception problems of this whole debate. he said nsa is not in the american private sector networks. can you take a couple of sentences and explain that again. i think that is so important. unfortunately i think people believe the nsa is on the private sector networks. it's not which is candidly why the bad guys have such an opportunity to swim around in there. can you talk about back? this to me as one of the most important points we can make there to the american public today about what we are trying to do and why the fact you are not on there and don't want to be in there and so forth. >> the national security agencies of foreign intelligence agency. it is not a domestic
11:31 pm
intelligence agency. u.s. persons include an entity in the form of a company. we are specifically legally limited from doing that. we do not have a presence on u.s. private networks inside companies. that is not what we are about them that is not what our mission is. it's because of that lack on our part that i'm saying what i need a partnership here. we need to exchange information and you don't want us on most private networks. >> if i was the ceo of a major bank i wouldn't want to be telling my shareholders well and essays and insider network. but i would want to tell my shareholders hey look we have a proactive sharing relationship where we are gaining the benefits of the insights that nsa is generating in terms of
11:32 pm
what is likely to come at us and we are sharing with them here is what we are doing and here's what's effective in here's what hasn't been effective. that is the relationship i think we need. >> the nsa is not on american plastic networks but the russians and the chinese and iranians and multiple bad actors are. mr. ruppersberger. >> i think the chairman has raised an important issue. it's one of the things we have been dealing with and developing legislation to protect our country to protect their businesses from losing billions of dollars. we spend lots of times negotiating takes to the committee's leadership. we have been able to put together a bill that unfortunately has not passed in the senate about the fisa bill that gives you the authority to do what you need to do. what i would like to do is to get you you in this open hearings of the public understands what the checks and balances are for the nsa and the fact that again your focus is not on american people and the
11:33 pm
argument from privacy is what could happen. i think that is good. i'm glad in this country we have privacy groups to focus on that in debate that so we can come together and learn and develop legislation that deals with the issue of privacy protections and if in fact someone in nsa breaks the law they will be held accountable. the bill that we passed and unfortunately it hasn't gone to the senate bill with a lot of issues of bulk collection. the perception unfortunately the american people is because the government controls so much of nobody's phone number address but there's a perception of the public and unfortunately the media pushed it out too but somehow nsa was and it wasn't the case. this committee came together and develop legislation to take bulk collection away from the government and now if in fact you all find a terrorist situation in yemen and you get
11:34 pm
that information and immediately turn it over to the fbi because you don't have jurisdiction in this country and then with this legislation we have has preapproved judicially impose judicial review for the fbi basically and that point can move forward and attempt to protect us if in fact we need to be protected. also we are not listening to americans at all and we are listening to america as a target. we have a judicial review. the same thing we do in the nancy's for criminal cases. but we need to have a search and seizure or wiretap we have to get to court and that's her check and balance in this country and by the way the checks and balances we have in this legislation are the most stringent of any country in the world. so it's important i think the message that has to get out now is we do have privacy concerns. we do have constitutional issues and there are checks and balances and if in fact someone does break the law they will be held accountable. i would like you to get into more specifics in the chairman
11:35 pm
royce bichon what happened tzipi to break the law and why you have checks and balances that you are not going to be listening to americans. you don't have the jurisdiction to begin with and that's turned over to the domestic side in this country for the supervision of the court. privacy groups are overseeing it in that type of thing. it's a long answer. >> in broad terms there is a legal aspect to this in the terms that there's a the terms that there's a court of law whose authority and permission we must gain to formally petition the court if we are going to do focus collection against the u.s. person. to do that we have to prove to a court of law that there is a connection with a foreign nation so they are acting as an agent of a foreign government or connected with a terrorist organization or an entity that is attempting to do harm to u.s. or u.s. persons. you have to make a legal case to a court and present a level of evidence that suggests the court should grant his position -- permission to do that.
11:36 pm
>> and that is amount articulable suspicion. >> in addition the congress as a duly represented of the citizen. the idea that our elected officials would be briefed on what we do and we'd have oversight of knowledge on what we do and how we do it that would act as representatives or citizens to make sure there's an external party monitor what we do having awareness of what we do being formally notified. you are aware do formal notifications to the committee. as a matter of record i wanted to know we are doing this and i want you know we are doing that and we brought you the following challenges. there's an oversight mechanism to this. in addition internally we have created a pretty extensive oversight and compliant set of mechanisms that govern things like how we control our data,
11:37 pm
who has access to that data. their training requirements for every one of our employees that has access to that data. we control the number of employees who have access to that data. if you look at the bulk record, the fun issue for example on the patriot act section 215 it was something on the order of approximately 30 people out of an organization and the numbers in the tens and of thousands. we try to maintain tight control of the data we been granted legal authority to collect. we don't retain that data indefinitely. we have defined windows vista how long we contain data and once we complete the window we purge the data. we don't hold data forever. we also are required to ensure that we maintain protection of the data from the moment we collected to the moment we purchase it so we still sell data. we have to remain strict control of information we have been granted authority to collect collect.
11:38 pm
when we are doing bulk collection overseas for example when we become aware of anything specifically tied to a u.s. person where to stop what we are doing and making a decision in our own mind okay as their new legal connection and is there a nation-state or group to get permission or do we just stopped collecting? we have to make that decision and we have to make a legal case if we want to continue. so there is the legal framework to what we do. there's a series of protections and oversight to what we do both external to the organization and multiple branches of our government. there's also a series of controls in place within the organization. it's one reason why i would say look, you can certainly disagree about the legalities in terms of its a lot good or is a lot bad. my responsibility is the director of nsa is to make sure we comply with the law. there shouldn't be any doubt in anybody's mind that we comply with the law and if we fail to
11:39 pm
do so we will hold ourselves accountable. >> just one thing. on the issue of threat. technology experts were recently interviewed by the pew internet and american life project and a majority of these technology experts say they believe the major cyberattack will happen between now and 2025. it will be large enough to cause significant life loss damage at the level of tens of billions of dollars. do you share those grim assessment and why or why not? >> i do. what i told my organization is i fully expect during my time as commander we are going to be passed to help defend critical infrastructure within the united states because it's under attack by some foreign nation for some individual or group. i say that because if you have highlighted, we see multiple nation-state in some cases
11:40 pm
individuals and groups that have the capability to engage in this. we have seen to date this behavior as you saw that she raised in aramco. we are seeing this destructive behavior acted on, executed. we have actually seen this cycle distraction within the corporate sector. knock on wood it's been largely outside the united states but it is happening. we have seen individuals, groups inside critical u.s. infrastructure that has a presence that suggests to us that this vulnerability is an area that others want to export. all of that leads me to believe it's only a matter of when, not if you we are going to see something dramatic. >> thank you. i yield back. >> you are saying attacks now and some you were able to repel that you are under attack today. our cybernetworks under attack
11:41 pm
today? >> people attempting to steal data and potentially people attempting to manipulate data and that is happening today. this is not something out in 2025. what you are saying is they might just get through before 2025. >> i don't think we will have to wait that long. unfortunately i think it will happen before 2025. >> mr. chair just want to thank and compliment you and ranking member ruppersberger for holding this important hearing. the committee has been a great deal of time on this issue and i think admiral rodgers your compelling testimony makes it clear to the american people that we need to redouble our efforts in this area and make sure not only are we paying attention that we are taking direct action to protect the american people and our economy from the cyber espionage as well
11:42 pm
as our military espionage. i have had the occasion to travel to china in august and was very clear that the chinese saw no difference between cyber attacks on military versus espionage and they were open to doing both of those. thank you for this important information you're putting out. as we know the technology is changing rapidly and increasing rapidly in one area that a lot of people are beginning to be engaged in and people have fears about is the area of cloud computing, mobile and cloud computing. could you talk to us as a follow-on to the ranking members question are there bad actors that you have detected and i don't know if this is classified information or not, you let the committee know are there bad actors that you have already detected in the mobile and cloud computing and how does this advance towards mobile and cloud
11:43 pm
computing change the cyber activity on cyber attacks going forward for the private sector as well as for our government? >> thank you, maam. so yes we have observed the cloud as well as mobile handheld digital advices being attacked in being exploited. the mobile arena in particular is an area where as i look to the future if you asked me what are the major trends you think we will see in the next 12 months efforts against the mobile site is one of the top three that i highlighted say hey lucas a coming trend in no small part because you look at the proliferation of devices. the greatest growth these days is not in the traditional corporate fixed large network structures. this is true for us as individuals and citizens as well as most of us in terms of business. we are all turning to mobile
11:44 pm
digital devices as vehicles to enhance your productivity our ability to work for everyone want whenever we want. the flipside is those same things that make it attractive in the ability to spread this outside of cyberspace is the ability to use it in all sorts of the murmurs and universally in anyplace. that also represents an increased potential for vulnerability. >> can you speak more specifically to back? is mobile and cloud computing in your opinion are the american people and american companies more vulnerable through mobile and cloud versus the servers or last? >> on the cloud side you can see arguments either way and though i'm supportive of the cloud id idea. one of the challenges to defen defense, the broader if you will the structure of the more you have to defend the greater the
11:45 pm
probability of people penetrating. one of the things i find attractive about the cloud is it collapses if you will your attacks into smaller. the flipside is you are putting all your eggs in one basket. that is certainly true. the flipside is i would argue this enables you to protect it a whole lot better than having multiple baskets with the eggs spread around and the baskets being all connected. i apologize for never thought i would be testifying -- today. so i'm supportive and i think it's right way to go. >> we are looking for a new cliché in the cyber discussions and you may have given it to us. >> in terms of the mobile piece it's really going to be problematic because part of the whole idea of mobile. >> and it doesn't matter which mobile device. unique distinction. >> the way the home network --
11:46 pm
the whole network is structured the idea that you will pull down whatever application you like i would only highlight those applications have a lot of potential vulnerabilities. if you look at all of us we are constantly searching for applications that make our lives more productive and make things more convenient for us and also represents a lot more potential mobility. >> i appreciate that. my time is up so i yield back. >> thank you mr. chairman in admiral thank you for your service to the country. you have i think probably the most difficult job within the i see and we are grateful that you took it on. i want to ask you a couple of questions, one on the cyber bill. one of the major differences between the house and senate proposals involves the sharing of information between the government and the private sector and what corp and what were requirements that place on the private sector to remove
11:47 pm
private information before sharing it. last month before the chamber of commerce the chamber of commerce to mention that the nsa would need or want private information as part of the cyber threat information. receiving that information got harder. given that doesn't make sense to require private companies to make a good-faith effort to strip irrelevant identifiable information before sharing cyber information with the government or other entities and on the other program you made reference to the metadata program. as you saw the usa freedom act failed to get the report -- support earlier in the senate which probably pushes back into the next year which means we will have to start all over again. is the nsa nonetheless moving forward working with the telephone companies to prepare for the new paradigm where the companies will hold onto their own data?
11:48 pm
there's nothing in statute that requires the government together data so you can move forward on your own with making technological changes so we don't have to wait until next year. we are making progress on the technological adaptions that will be made. >> sir it's a two-part question in the first part about should we attempt and if i missed please tell me should we attempt to filter out front before the date is pushed to the u.s. government or mobile privacy? >> should we as a private companies to make reasonable good-faith efforts to remove personal information before they give it to the government or share among the private sector? >> it's part of the point i was trying to make about the information up front. we should find exactly what we want and what we need and what companies are going to provide just as the company should
11:49 pm
expect the u.s. government to define exactly what you are not going to give me an share with me. i do agree with this idea that we should build this up front so we have cleared delineation before the data gets to us. we should have clear delineation of what the private sector is going to be sharing with the government. in terms of your second question could you refresh my memory? >> are you moving forward already working with the telephone companies to make whatever technological adaptions have to be made so you retain your own data collecting in bulk as both the dni and it administrations support that model. there's nothing that prohibits you from doing that. you don't have to wait for the usa freedom act. are you moving forward with those technological change is? >> the short answer is no in no small part because the corporate side has indicated we want to
11:50 pm
see what the specifics of their requirements are before we make changes or have discussions. part of the reason for that in our perspective has been the hope that we will come to a solution in the near term. one of the questions now i'm trained to consider is okay if we are unable to gain a consensus in the window that we thought what are the implications? do we need to reach out and have discussions now? >> with respect admiral there is no statutory mandate of any kind for the government to collect bulk metadata. it administrations in the dni has said it's no longer necessary. the only reason the program exists is that the government went to the fisa court to ask. there's nothing preventing the government from going back to the fisa court saying we are going to come to on a case-by-case basis and in doing so so there's no reason if you think this is a correct policy
11:51 pm
that you have to wait for the congress to mandate that you do it. >> in fact that is the current policy we are acting on right now. the president and his remarks in the 17th of january directed us to use that legal court constructs. we have been doing that since january. even as he indicated and returned to the congress enact the legislation that we have been directed to use that and we now have to go to the court to access the data. >> sues the government no longer collecting bulk metadata? >> the data continues to be provided to us and now to access the data we have to go to the court to get permission to access that data. >> but why continue to gather the bulk metadata if the administration and he and i don't think this is the best approach? >> i guess i'm confused because i don't think i've heard heard a present or the dni say that the axis to the data is not of value. what i think i have heard is the
11:52 pm
question gets to be who should hold the data but the president directed in his remarks on the 17th of january we will continue to implement the programs while the congress works to how we will make long-term changes. we'll continue to do that on the 90-day intervals of every 90 days now is to go back and asked for continued permission. >> one last comment, if the administration believes and i understand that they do, but the better model is to go to a paradigm where the companies hold onto their own data it doesn't make sense for us to continue the collection of bulk metadata. we are not legally required to and there's no reason not to move to that model and make that transition now. >> mr. langevin. >> mr. chairman and admiral thank you for being here today. you and your team are doing
11:53 pm
important work for the country. so we had a discussion a few minutes ago about things we are seeing in terms of cyber intrusions. obviously over the past several weeks the american people have seen a disturbing number of cyber related incidents including the state department, the white house, the national oceanic and atmospheric administration, the postal service and the industrial control system that comptroller critical infrastructure. now we are on this control system and these comes on the heels of other major tax such as jpmorgan chase, target, michaels, aramco the south korean banking attacks. on "60 minutes" last month the fbi director comey said there are two and i quote two
11:54 pm
companies in the u.s. hacked by the chinese and by those who don't know they have been hacked by the chinese. i guess the other nationstates doing this are criminal enterprises etc.. to date we have seen these cyber incidents being focused on, data breaches and industrial espionage but what keeps me up at night and i'm sure u.s. well is the worry that we could face a true cyberattack. we haven't really seen it occur that causes significant damage. the same kinds of attacks to cyber that traditionally you would see through the use of kinetic weapons. we know that technology is out there as you know so my question is we know who and how we respond if we saw an attack
11:55 pm
using kinetic weapons, missiles or bombs. we have the pentagon or law enforcement that would respond to protect us in those cases where the national guard. but what confidence can you give to the american people and what can you say to the american people that would give them confidence that we have a plan in place and we know how to respond if either we saw an attack in the planning stages or the order was given to be executed in it was underway and that we could stop it? at this point is there sufficient mechanisms in place absent presidential authority or would it require only presidential authority to stop them to order intervention whereby we could prevent that attack and protect our critical
11:56 pm
infrastructure etc.? basically do we have a bridge in place to deal with the bureaucratic and legal hurdles or does it take presidential authority at this point? >> the short answer is i'm comfortable that we have a broad agreement and a broad sharing of how we are going to do it. who would do well. the worlds are clearly defined it if i go back two years ago or 18 months ago we were spinning our wheels about who was going to do what. we are way past that. we have good delineation within the federal government as to who has what responsibilities. we have broad agreement as to how we would provide the capability on the attacks against critical infrastructure. clearly presidential authority is required for part of it. for example for meet the entity to provide support in the u.s.
11:57 pm
to partner with others outside the dod. that is required as of part of the response for example would be effective capability. yes i would need approval of the presence do that. we have got broad agreement a fact that the challenge to me is we got to move beyond a broad agreement and get down to the execution level. i come from a military culture and the military culture teaches us to take those broad concepts of agreement and then you train and exercise and you do it over and over. that's what we have done. >> the cyber crimes are espionage the hundreds of billions of dollars in cyber espionage some of which is highly methodical and systematic. that is a threat to the american economy and competitors. when does that become economic warfare and how do we respond?
11:58 pm
>> first of all i think we are still trying to come to grips with when does it become its? we try to differentiate between the capabilities of the nation-state in understanding the world around us versus the capabilities of the nation-state against the private sector of another nationstates general economic advantage. that's a major, among the differences between us and our chinese counterparts. we don't use our capabilities to go after private industry and other nations to use that as a vehicle to gain an economic advantage. it's not what we do. to your broader question shorter answers we are clearly trying to work our way through all those issues. we tend to treat it right now you talk about criminal actors we tend to treat it as a law enforcement issue so the fbi issue with director comey. i would argue clearly that
11:59 pm
approach is not achieving the results we want. we are spending our time dealing with the repercussions and what i would like to do with how could we forestall those penetrations in the first place and as we have talked today that's about those norms in the worlds of behavior and those ideas of deterrence. clearly there is a lot of work to do. >> think you admiral. i appreciate the work you are doing in my time has expired. thank you for what you are doing. i yelled back. >> ms. ms. czajkowski there is about one minute and 15 seconds left. >> i'm good to be very brief. on the other side of this what can you say to assure the american people and the absence of legislation that would address their concerns over the selection of metadata and concerns about privacy that despite the failure of the congress to pass legislation
12:00 am
what you may be doing differently that could assure them their privacy is protected? >> the president indicated while i haven't seen an essay undermining the rights of the privacy were citizens i'm concerned about the potential. therefore i'm going to overlay a couple of additional requirements. for example the metadata. i want you to now go to the court and use your own authori authority. now i want to go to the fisa court. he also directed we used to be able when we went into those instances when we went to the data we used to be able to do what we call three hops in the amount of time could follow the string so to speak. the

29 Views

info Stream Only

Uploaded by TV Archive on